aboutsummaryrefslogtreecommitdiff
path: root/src/vmod_remoteip.vcc
blob: 55b161e36ca2376c268fef9c71097ce740b6a476 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62

$Module remoteip 3 "Return probable IP address based on request headers"

DESCRIPTION
===========

This modules is for Varnish Cache what mod_remoteip is for Apache. It
determines the actual client IP address for the connection, using the
useragent IP address list presented by a proxies or a load balancer
via the request headers and a preconfigred list of trusted IP
addresses.  For example, if your Varnish server works behind a load
balancer or yet another reverse proxy (such as pound or haproxy to
handle the TLS connection), you can use this module to get the real
incoming connection IP address from the **X-Forwarded-For** header.

$Event remoteip_event
        
$Function VOID init(PRIV_VCL, STRING trusted)

Description
    Initializes the module.  The **trusted** argument is a string
    containing comma-separated list of IP addresses of hosts which
    are trusted to correctly set the value of the **X-Forwarded-For**
    header (or other header whose value is used as argument in the
    **remoteip.get** call, which is described below).  Arbitrary
    amount of whitespace is allowed to surround each address.
    Each address cna be a valid IPv4 or IPv6 address, optionally
    followed by a slash and the netmask or netmask length.
        
$Function STRING get(PRIV_VCL, STRING header)

Description
    The **header** argument is the value of the **X-Forwarded-For** 
    or a similar header, i.e. a comma-delimited list of useragent
    IP addresses with optional whitespace around them.  The
    function scans this list from right to left, comparing each
    address with the trusted IP address list, configured with a
    prior call to **init**.  Processing halts when the IP address
    is not found in that list or when the list is exhausted.  In
    the latter case, the first address from the **header** list is
    returned.

EXAMPLE
=======
    ::
    
      sub vcl_init {
          remoteip.init("192.0.2.1, 127.0.0.0/8");
      }

      sub vcl_recv {
          set req.http.x-real-ip = remoteip.get(req.http.X-Forwarded-For);
          ...
      }

COPYRIGHT
=========

| Copyright (C) Sergey Poznyakoff
| License GPLv3+: GNU GPL version 3 or later
| <http://gnu.org/licenses/gpl.html>
| This  is  free  software:  you  are free to change and redistribute it.
| There is NO WARRANTY, to the extent permitted by law.

Return to:

Send suggestions and report system problems to the System administrator.

Generated by cgit.